Thread: DoS or DDos attacks prevention
-
06-07-2005, 01:46 AM #1 Junior Guru Wannabe
- Join Date
- May 2004
- Posts
- 57
DoS or DDos attacks prevention
My server has been continuously attacked by DoS and DDoS attacks, that is what my hosting company (Hostcentric) is saying, and that is making them shut down my system again and again.
I do not have much knowledge about these attacks, so kindly help me with how to prevent them.
How do I find out what sort of attacks these are, and what firewall should I install to get rid of them?
Here is what the server people told me:
>Outbound UDP Flood from D9024. I have unplugged D9024 from the network. It will stay off until 8pm tonight. Here is a sample of the flood that was occurring. (It came from a high, unprivileged port).
>
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 16634 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 34124 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 46797 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 61447 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 25606 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 48586 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 13605 46 (368bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 24248 46 (368bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 62153 46 (368bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 8577 46 (368bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 45818 46 (368bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 6461 46 (368bps 0%)
Please help me figure out from which port these attacks are arising,
and how to prevent them.
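The sniffer excerpt quoted above has one tell-tale shape: a single source IP and source port sending UDP to the same destination IP on a different, random-looking destination port every packet. The following script is an added example, not code from the thread or from Hostcentric; it parses lines in that exact format (src MAC -> dst MAC, src IP -> dst IP, protocol, src port -> dst port, size, rate) and flags flows where nearly every packet hits a new destination port, labelling them outbound when the source is one of the addresses you are responsible for. The embedded sample is the thread's own excerpt; the thresholds and the field names are assumptions.

```python
import re

# Sample input: the twelve lines the hosting company sent, as quoted in the thread.
SAMPLE_LOG = """\
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 16634 92 (736bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 34124 92 (736bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 46797 92 (736bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 61447 92 (736bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 25606 92 (736bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 48586 92 (736bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 13605 46 (368bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 24248 46 (368bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 62153 46 (368bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 8577 46 (368bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 45818 46 (368bps 0%)
00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 6461 46 (368bps 0%)
"""

# One line of the sniffer format: MACs, IPs, protocol, ports, payload size, rate and share.
LINE_RE = re.compile(
    r"^(?P<smac>[0-9A-Fa-f:]{17}) -> (?P<dmac>[0-9A-Fa-f:]{17}) "
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>[a-z]+) (?P<sport>\d+) -> (?P<dport>\d+) (?P<size>\d+) "
    r"\((?P<rate>\d+)bps (?P<pct>\d+)%\)$"
)


def parse_line(line):
    """Return the packet fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "size", "rate", "pct"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Aggregate packets per (src IP, src port, dst IP, proto) flow."""
    flows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["sip"], rec["sport"], rec["dip"], rec["proto"])
        flow = flows.setdefault(key, {"packets": 0, "bytes": 0, "dports": set()})
        flow["packets"] += 1
        flow["bytes"] += rec["size"]
        flow["dports"].add(rec["dport"])
    return flows


def classify(flows, local_ips, min_packets=10, min_scatter=0.9):
    """Flag UDP flows whose destination ports are almost all distinct.

    local_ips: the addresses you administer; a flagged flow whose source is one
    of them is outbound, i.e. the host itself is the sender.  Thresholds are
    assumptions chosen for this example, not values from the thread.
    """
    findings = []
    for (sip, sport, dip, proto), flow in flows.items():
        if proto != "udp" or flow["packets"] < min_packets:
            continue
        scatter = len(flow["dports"]) / flow["packets"]  # 1.0 = every packet a new port
        if scatter < min_scatter:
            continue
        if sip in local_ips:
            direction = "outbound"
        elif dip in local_ips:
            direction = "inbound"
        else:
            direction = "transit"
        findings.append({
            "direction": direction,
            "source": f"{sip}:{sport}",
            "destination": dip,
            "packets": flow["packets"],
            "bytes": flow["bytes"],
            "distinct_dports": len(flow["dports"]),
            "ephemeral_source_port": sport >= 1024,
        })
    return findings


if __name__ == "__main__":
    for finding in classify(summarize(SAMPLE_LOG.splitlines()), {"209.25.178.53"}):
        print(finding)
```

Run against the excerpt with 209.25.178.53 listed as a local address, it reports one outbound UDP flow from port 35349 with twelve distinct destination ports in twelve packets, which is the same reading the later replies give: the server is the sender, so the fix is on the server, not in front of it.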
-
06-07-2005, 04:38 AM #2 WHT Addict
- Join Date
- Oct 2004
- Posts
- 133
It seems to me that this is an internal attack from inside Hostcentric.
For instance, another server with account(s) which was hacked.
The person that did that uploaded flood tools and started to flood.
Unfortunately Hostcentric is not famous for its good DDoS prevention network.
In this case I can advise you only one thing - switch data centers.
Another solution would be to buy a DDoS prevention device, which is anything but cheap.
-
06-07-2005, 07:35 AM #3 Web Hosting Master
- Join Date
- Aug 2004
- Location
- Karachi, Pakistan
- Posts
- 748
From the looks of it, it seems varunbihani's server at Hostcentric is sending OUT UDP flood packets to the IP address (which happens to be in Spain). Unless I am reading it wrong.
The sysadmin message says "Outbound UDP Flood from D9024".
Most likely his system has been compromised and is now a zombie host for DDoS.
Faisal
"I drink too much. The last time I gave a urine sample it had an olive in it."
Rodney Dangerfield (from "I Get No Respect!").
-
06-07-2005, 10:43 AM #4 Junior Guru Wannabe
- Join Date
- May 2005
- Posts
- 67
I'm sure that there are people with strong convictions as to which device might be used to limit DDoS attacks, but we use Cisco PIX to protect our servers. If your server is small/low bandwidth, you could get away with a $400 Cisco PIX 501; however, I would recommend getting into at least a 506E ($800).
-
06-07-2005, 04:08 PM #5 Web Hosting Master
- Join Date
- Aug 2004
- Location
- Karachi, Pakistan
- Posts
- 748
Putting a firewall in and turning the logging on, both on inbound and outbound, will tell you a lot about your problem. But like I said, I think your machine is infected/compromised, as the initial readings indicate an outbound UDP flood.
-
06-07-2005, 09:18 PM #6 Engineer
- Join Date
- Jan 2005
- Location
- Scotland, UK
- Posts
- 2,681
Why would he need a firewall, when HE is the one sending the attacks?
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 16634 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 34124 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 46797 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 61447 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 25606 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 48586 92 (736bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 13605 46 (368bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 24248 46 (368bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 62153 46 (368bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 8577 46 (368bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 45818 46 (368bps 0%)
>00:40:F4:4E:99:C2 -> 00:00:0C:07:AC:00 209.25.178.53 -> 213.149.239.197 udp 35349 -> 6461 46 (368bps 0%)
Just DNS the IP in his signature. 209.25.178.53 is his server IP.
varunbihani, unless you can pay someone to fix your server, you will need reasonable Linux knowledge for people on here to help you.
Paste the output of the following:
Code:
ps aux
netstat -npl
ls -al /tmp
Server Management - AdminGeekZ.com
Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com
-
06-08-2005, 04:00 AM #7 Junior Guru Wannabe
- Join Date
- May 2004
- Posts
- 57
Is this caused by some unwanted/malicious script/program on my server? How can anybody from outside the network do such things on my server? I would like to know the root cause of this.
My server people (Hostcentric) are not willing to provide any help whatsoever.
What should I do now? Shall I ask for an OS reload? Will that get rid of the attacks?
-
06-08-2005, 04:04 AM #8 Web Hosting Master
- Join Date
- Aug 2004
- Location
- Karachi, Pakistan
- Posts
- 748
Well, the reasons could be many. Yes, someone from the outside can compromise your server - if it is not adequately secured. I suggest you get in touch with www.rack911.com - Steve - and take one of his security hardening packages, etc. Steve should be able to help you out in securing the box.
-
06-08-2005, 05:01 AM #9 Web Hosting Master
- Join Date
- Aug 2004
- Location
- Karachi, Pakistan
- Posts
- 748
HostGeekZ, by putting a firewall in he can easily see what is traversing his network; in this case he could simply have put a policy in to deny UDP outbound on port 35349. He might or might not have access to the machine, but he can surely control what's coming and going to it. It's an added buffer (or luxury, if that may be the case).
-
06-08-2005, 10:09 AM #10 Engineer
- Join Date
- Jan 2005
- Location
- Scotland, UK
- Posts
- 2,681
Originally posted by Babushka99
HostGeekZ, by putting a firewall in he can easily see what is traversing his network; in this case he could simply have put a policy in to deny UDP outbound on port 35349. He might or might not have access to the machine, but he can surely control what's coming and going to it. It's an added buffer (or luxury, if that may be the case).
What is the point of that when the vulnerable scripts are still there, and then they can attack someone else?
-Scott
-
06-09-2005, 09:34 AM #11 Newbie
- Join Date
- Jun 2005
- Posts
- 12
Hi all,
I agree with HostGeekZ here; there would be no point putting a firewall in place at this point, as the system has some script of some sort causing this OUTBOUND UDP attack. I would suggest getting a Linux admin to take a look at your server. If this is not possible, please do as suggested above;
run the commands:
ps aux
netstat -npl
ls -al /tmp
maybe install chkrootkit, and post the output of them all.
Shared Hosting • Reseller Hosting • Domain Registration
Free 24/7 support • H-Sphere control panel
www.GuardianServe.com
sales@GuardianServe.com
-
06-09-2005, 09:43 PM #12 Junior Guru Wannabe
- Join Date
- May 2005
- Posts
- 67
Originally posted by GuardianServe
Hi all,
I agree with HostGeekZ here; there would be no point putting a firewall in place at this point, as the system has some script of some sort causing this OUTBOUND UDP attack. I would suggest getting a Linux admin to take a look at your server. If this is not possible, please do as suggested above;
run the commands:
ps aux
netstat -npl
ls -al /tmp
maybe install chkrootkit, and post the output of them all.